MEDIUM 5.3
GHSA-jfvg-qm4p-473x
InternLM LMDeploy code injection vulnerability
Details
A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / lmdeploy
Introduced in:
0 No fixed version published yet for lmdeploy (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-3163 [ADVISORY]
- https://github.com/InternLM/lmdeploy/issues/3254 [WEB]
- https://github.com/InternLM/lmdeploy/issues/3254#issue-2918865448 [WEB]
- https://github.com/InternLM/lmdeploy [PACKAGE]
- https://vuldb.com/?ctiid.303109 [WEB]
- https://vuldb.com/?id.303109 [WEB]
- https://vuldb.com/?submit.542527 [WEB]